11-10-2014 02:07 AM
Hi,
We implemented a PA3050 as an internal firewall. We configured it as L3 and it caters for up to 200+ static routes. When we try to remove a single route in the virtual router and commit, it takes approximately 20 minutes before it takes effect. Is this normal in Palo Alto?
Thanks,
MBS
11-10-2014 05:09 AM
Hello MBS,
As per my understanding, this behavior is not expected on a PAN firewall. Do a show jobs all to see if the commit itself went fine.
Check show system resources for mgmtsrvr, devsrvr and routed and notice if one of them is abnormally high.
If possible, try restarting the management server and routed process.
> debug software restart management-server
> debug software restart routed
Thanks
11-10-2014 05:59 AM
Hi MBS,
With a successful commit, static route changes should be in effect. It shouldn't delay it by 1 minute. Most likely the routed process has an issue.
Kindly provide us the output for
1. show system resources | match routed
2. show system resources | match dev
3. show system resources | match mgmt
If the above values are close to 1000 Mb, then it's good to restart those processes. The commands to restart the processes are:
> debug software restart devsrvr
> debug software restart routed
> debug software restart mgmtsrvr
Make sure you check usage before restarting any process.
Regards,
Hardik Shah
11-10-2014 07:20 AM
Hi HULK and hshah,
Thanks for the feedback. See the output below, as requested.
PA3050-Primary(active)> show system resources | match routed
2900 20 0 120m 20m 9904 S 0 0.5 0:45.05 routed
PA3050-Primary(active)> show system resources | match dev
2868 20 0 250m 116m 13m S 2 3.1 2:29.02 devsrvr
662 16 -4 1908 700 472 S 0 0.0 0:00.70 udevd
PA3050-Primary(active)> show system resources | match mgmt
2869 20 0 664m 477m 9020 S 0 12.7 4:55.33 mgmtsrvr
We also have this weird problem that one of our static route entries is automatically deleted. PANOS version is 6.0.5 h3. Any known issues about it?
Thanks,
MBS
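Added example, not part of any poster's reply: a small Python parser for the top-format lines that show system resources returns, which normalises the memory columns and applies the "close to 1000 Mb" rule of thumb from the earlier reply. Comparing the RES column, treating 90% of the limit as "close", and the function names are all assumptions made for this sketch.

```python
import re

# Constructed sample: the top-format lines posted in the thread, prompts included.
SAMPLE = """\
PA3050-Primary(active)> show system resources | match routed
2900 20 0 120m 20m 9904 S 0 0.5 0:45.05 routed
PA3050-Primary(active)> show system resources | match dev
2868 20 0 250m 116m 13m S 2 3.1 2:29.02 devsrvr
662 16 -4 1908 700 472 S 0 0.0 0:00.70 udevd
PA3050-Primary(active)> show system resources | match mgmt
2869 20 0 664m 477m 9020 S 0 12.7 4:55.33 mgmtsrvr
"""

WATCHED = {"routed", "devsrvr", "mgmtsrvr"}
KIB_PER_UNIT = {"": 1, "k": 1, "m": 1024, "g": 1024 ** 2}

def to_mib(field):
    """top prints memory in KiB unless suffixed with m or g; normalise to MiB."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?)", field.lower())
    if m is None:
        raise ValueError(f"unrecognised memory field: {field!r}")
    return float(m.group(1)) * KIB_PER_UNIT[m.group(2)] / 1024

def parse_resources(text):
    """Map each watched process name to its PID, VIRT/RES in MiB and %CPU."""
    rows = {}
    for line in text.splitlines():
        f = line.split()
        # Columns: PID PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
        if len(f) != 11 or not f[0].isdigit() or f[10] not in WATCHED:
            continue  # CLI prompts, headers, and unrelated matches such as udevd
        rows[f[10]] = {"pid": int(f[0]), "virt_mib": to_mib(f[3]),
                       "res_mib": to_mib(f[4]), "cpu_pct": float(f[7])}
    return rows

def restart_candidates(rows, limit_mib=1000, margin=0.9):
    """Names whose RES is within `margin` of the limit (both values are assumptions)."""
    return sorted(n for n, r in rows.items() if r["res_mib"] >= limit_mib * margin)

if __name__ == "__main__":
    rows = parse_resources(SAMPLE)
    for name, r in sorted(rows.items()):
        print(f"{name:9} pid={r['pid']} res={r['res_mib']:.0f} MiB virt={r['virt_mib']:.0f} MiB")
    print("restart candidates:", restart_candidates(rows) or "none")
```

Capturing the same output before and during a commit and comparing the parsed values shows whether any of the three daemons grows while the change is being pushed.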
11-10-2014 01:41 PM
Hi Mbs,
None of the processes is over-utilized, hence logically I can't ask for a process restart. Do you see any error logs in the routed daemon?
less mp-log routed.log
Regards,
Hardik Shah
11-10-2014 07:59 PM
Hello Mbs,
It would be better to open a ticket with Palo Alto TAC. They will identify why the route information is not being pushed, even after a successful commit.
You may update the below-mentioned CLI output (during commit) for a deeper analysis here too.
> show system resources | match mprelay
> tail follow yes mp-log routed.log
Thanks